Sorry, my name is root, I have been root for decades, I like it when
the operations are allowed to succeed, and not deliberately failed.
The entire purpose of many "insecurity" features is to invoke nothing
but failure. I disagree.
The security policy I like is to stop the bad guys at the door. If you
have bad guys roaming around your house, it is already too late. I
want any operation which authenticates or verifies to be correct, and
in this day and age of crystallographic protocols and validation it is
completely possible to do a good job. These hacks are a sign of failure
to detect and stop bad guys before they do damage.
Frequently, the worst bad guys used to be good guys (pun). The real
problem is to make sure the development environment is desirable
and secure, so that the effort is cohesive.
Anyway... I have completed the backup, installed the stage3 system,
and have 80% of the world built. Still have kernel and tweaks to do,
but should have a system soon. Gentoo is a "difficult" system to have
to install from scratch. Seems unnecessarily abstruse.
On Wed, Apr 27, 2016 at 3:54 PM, Miroslav Rovis <miro.rovis@???> wrote:
> So more progress there has been.
>
> On 160427-13:05-0600, Good Guy wrote:
> > cd cinelerra5/cinelerra-5.1
> > echo "EXTRA_LIBS += -lva" >> global_config
> > echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> > sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> > sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> > ./configure shared
> > make >& log
> >
>
> I'm also writing this for general *nix users when this is hopefully
> posted, as you gave me permission to. I'll give the complete output from
> the terminal. Note that there are two issuings of /opt/cin/cinelerra; the
> first will be seen, later, in the log that I will also give, as "denied
> execution of /opt/cin/cinelerra" and the second as "exec of
> /opt/cin/cinelerra".
>
> miro@gcn ~ $ /opt/cin/cinelerra
> bash: /opt/cin/cinelerra: Permission denied
> miro@gcn ~ $
> miro@gcn ~ $ /opt/cin/cinelerra
> sh: pactl: command not found
>
> Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git (c)2015:
> Adam Williams
>
> Cinelerra is free software, covered by the GNU General Public License,
> and you are welcome to change it and/or distribute copies of it under
> certain conditions. There is absolutely no warranty for Cinelerra.
>
> MESA-LOADER: could not create udev device for fd 5
> MESA-LOADER: could not create udev device for fd 6
> MESA-LOADER: could not create udev device for fd 6
> init plugin index: /opt/cin/plugins
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/blending/chromakeyhsv.plugin = /opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blond.plugin = /opt/cin/plugins/themes/theme_blond.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blond_cv.plugin = /opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blue.plugin = /opt/cin/plugins/themes/theme_blue.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blue_dot.plugin = /opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_bright.plugin = /opt/cin/plugins/themes/theme_bright.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_hulk.plugin = /opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_pinklady.plugin = /opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_suv.plugin = /opt/cin/plugins/themes/theme_suv.plugin: cannot change memory protections: Permission denied
> int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_unflat.plugin = /opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory protections: Permission denied
>
> init ladspa index: /opt/cin/ladspa
> MWindow::init_theme: prefered theme S.U.V. not found.
> MWindow::init_theme: theme_plugin not found.
> unjoined tids / owner 1
> 000003297c18b700 / 000003298d7eb740 12BC_Clipboard
> miro@gcn ~ $
>
> Just to tell that Cinelerra showed the little opening window in the
> middle of the screen, but did not freeze like in the last attempt.
> Instead it exited and returned the command prompt. The previous attempt
> can be read at:
>
> http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
> And it shows the Cinelerra girl holding a huge 5.1 notice.
>
> The same happened. Only, it exited gracefully (if that's what giving the
> command prompt back is).
>
> Now the logs:
>
> Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
> to user and group miro:miro.
>
> Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of
> /bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292]
> uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> gid/egid:0/0
>
> RBAC enabled, just to see what will happen.
>
> Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of
> /bin/grep (grep --colour=auto RBAC /proc/3278/status ) by
> /bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
>
> Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash)
> denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> uid/euid:1000/1000 gid/egid:1000/1000
>
>
> Checking if TPE was enabled. Can't show it, but I remember it was not.
> Neither tpe nor tpe_restrict_all.
>
> Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash)
> denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> uid/euid:1000/1000 gid/egid:1000/1000
>
> Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of
> /bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by
> /bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
>
> Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of
> /bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303]
> uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
> gid/egid:0/0
>
>
> Disabling RBAC:
>
> Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of
> /sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0
> gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
>
> ...[36 lines cut here]...
>
> Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of
> /opt/cin/cinelerra (/opt/cin/cinelerra ) by
> /opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000,
> parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
>
> I hope this pulseaudio command does no harm. Only pure alsa here.
>
> Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh
> -c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000
> gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350]
> uid/euid:1000/1000 gid/egid:1000/1000
>
> The crucial PT_GNU_STACK, and RWX mprotect lines:
>
> Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack
> executable as requested by PT_GNU_STACK marking in
> /opt/cin/plugins/blending/chromakeyhsv.plugin by
> /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> gid/egid:1000/1000
>
> Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect
> of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> uid/euid:1000/1000 gid/egid:1000/1000
>
> Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack
> executable as requested by PT_GNU_STACK marking in
> /opt/cin/plugins/themes/theme_blond.plugin by
> /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
> gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
> gid/egid:1000/1000
>
> Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect
> of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
> uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
> uid/euid:1000/1000 gid/egid:1000/1000
>
> Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging
> disabled for 10 seconds
>
>
> And here is where a hardened dev could help us... I've been studying
> these days (but only for a small part of the time, this testing takes a
> lot of energy and time) the above PT_GNU_STACK and RWX mprotect
> issue, and I'll try and post next to the grsecurity Forums:
>
> Building Cinelerra and stack exec and mprotect issues
>
> https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77
>
> as I have collected some links that could help us here...
>
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr
>
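An added example, not part of this thread and not Cinelerra's or grsecurity's own code: the kernel denials quoted above ("denied marking stack executable as requested by PT_GNU_STACK marking in ... .plugin") come from plugin objects whose PT_GNU_STACK program header carries the executable flag, which is exactly what the `-Wl,-z,noexecstack` line in the quoted build recipe clears at link time. The script below parses ELF32 and ELF64 program headers and reports which objects still request an executable stack, so a build can be checked before it is run on a hardened kernel. The `build_minimal_elf` helper is a constructed test input: it fabricates just enough ELF structure to exercise the parser offline and is not a loadable object.

```python
"""Report ELF objects that request an executable stack (PT_GNU_STACK with PF_X).

Added example for the thread above; not code from Cinelerra or grsecurity.
"""
import struct
import sys
from typing import Dict, Iterable, Optional

PT_GNU_STACK = 0x6474E551       # program-header type carrying the stack permission request
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none.

    Handles ELF32 and ELF64 in either byte order; only the ELF header and the
    program-header table are read.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        phoff = struct.unpack_from(endian + "Q", data, 32)[0]        # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        phdr_fmt = endian + "IIQQQQQQ"     # p_type, p_flags, p_offset, ...
        flags_index = 1
    elif ei_class == ELFCLASS32:
        phoff = struct.unpack_from(endian + "I", data, 28)[0]        # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        phdr_fmt = endian + "IIIIIIII"     # p_type, p_offset, ..., p_flags, p_align
        flags_index = 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(phnum):
        fields = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if loading this object would ask the kernel for an executable stack.

    An object with no PT_GNU_STACK header at all is counted as executable: that
    is the conservative reading, and it matches the loader's default for
    unmarked objects on x86.
    """
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def scan_paths(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each path to True (execstack) or False (noexecstack)."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = stack_is_executable(fh.read())
    return results


def build_minimal_elf(stack_flags: Optional[int], elf64: bool = True) -> bytes:
    """Constructed test input: an ELF header followed by a single PT_GNU_STACK
    program header (or none when stack_flags is None). Not loadable."""
    phnum = 0 if stack_flags is None else 1
    if elf64:
        ehsize, phentsize = 64, 56
        ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0,
                           ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0,
                           0, 0, 0, 0, 0, 16)
    else:
        ehsize, phentsize = 52, 32
        ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\0" * 8
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 3, 3, 1, 0,
                           ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0,
                           stack_flags or 0, 16)
    return ehdr + (phdr if phnum else b"")


if __name__ == "__main__":
    # Usage: python3 check_execstack.py /opt/cin/plugins/*/*.plugin
    for path, execstack in scan_paths(sys.argv[1:]).items():
        print("%-12s %s" % ("execstack" if execstack else "noexecstack", path))
```

For a single file, `readelf -lW file | grep GNU_STACK` gives the same verdict (`RWE` means executable); `scanelf -e` from pax-utils does it for a whole tree. Anything reported as `execstack` needs relinking with `-Wl,-z,noexecstack`, or a fix to the input object that lacks a `.note.GNU-stack` section, typically hand-written assembly, which is the usual reason GNU ld emits the executable marking in the first place.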